CVE-2026-27625
Received Received - Intake
Path Traversal in Stirling-PDF Allows Arbitrary File Write

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27625
EUVD
EUVD-2026-13638
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
stirling stirling_pdf to 2.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27625 is a path traversal vulnerability in the Stirling-PDF web application, specifically in the /api/v1/convert/markdown/pdf endpoint. This endpoint extracts user-supplied ZIP files without validating the paths of the ZIP entries.

Because of this lack of validation, an authenticated user can craft a malicious ZIP file containing entries with directory traversal sequences (like ../../) that allow writing files outside the intended temporary working directory.

This arbitrary file write occurs with the privileges of the Stirling-PDF process user (stirlingpdfuser), enabling overwriting of writable files and compromising data integrity.

Impact Analysis

An authenticated attacker can exploit this vulnerability to overwrite arbitrary files on the system with the permissions of the Stirling-PDF process user.

This can lead to compromise of data integrity by modifying or replacing files unexpectedly.

Depending on which writable paths are accessible, the attacker could cause further system impact, potentially affecting availability and integrity of the system.

The vulnerability has a high severity rating with a CVSS v3.1 base score of 8.1, indicating significant risk.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for attempts to exploit the path traversal issue in the /api/v1/convert/markdown/pdf endpoint of Stirling-PDF versions prior to 2.5.2.'}, {'type': 'paragraph', 'content': 'Specifically, detection can focus on identifying authenticated requests that upload ZIP files containing entries with directory traversal sequences such as "../../" which attempt to write files outside the intended temporary directory.'}, {'type': 'paragraph', 'content': 'Additionally, server logs may show 500 errors with FileAlreadyExistsException messages indicating attempted overwrites of existing files due to path traversal.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Inspect web server or application logs for POST requests to /api/v1/convert/markdown/pdf containing suspicious ZIP file uploads.'}, {'type': 'list_item', 'content': 'Use grep or similar tools to search logs for directory traversal patterns, e.g., `grep -r "\\.\\./" /path/to/stirlingpdf/logs`.'}, {'type': 'list_item', 'content': 'Monitor for 500 Internal Server Errors related to FileAlreadyExistsException in application logs.'}, {'type': 'list_item', 'content': 'If possible, capture and analyze network traffic to detect ZIP file uploads with malicious entry names containing traversal sequences.'}] [1]

Mitigation Strategies

The immediate and most effective mitigation is to upgrade Stirling-PDF to version 2.5.2 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the /api/v1/convert/markdown/pdf endpoint to trusted authenticated users only, and monitor for suspicious activity as described.

Additionally, review and tighten file system permissions for the Stirling-PDF process user (stirlingpdfuser) to limit writable directories and reduce the impact of potential exploitation.

Consider implementing network-level controls such as firewalls or API gateways to restrict access and detect anomalous requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27625. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart